
    Securing By Design

    This article investigates how modern neo-liberal states are 'securing by design', harnessing design to new technologies in order to produce security, safety, and protection. We take a critical view toward 'securing by design' and the policy agendas it produces of 'designing out insecurity' and 'designing in protection' because securing by design strategies rely upon inadequate conceptualisations of security, technology, and design and inadequate understandings of their relationships to produce inadequate 'security solutions' to readymade 'security problems'. This critique leads us to propose a new research agenda we call Redesigning Security. A Redesigning Security Approach begins from a recognition that the achievement of security is more often than not illusive, which means that the desire for security is itself problematic. Rather than encouraging the design of 'security solutions' (a securing by design), a Redesigning Security Approach explores how we might insecure securing by design. By acknowledging and then moving beyond the new security studies insight that security often produces insecurity, our approach uses design as a vehicle through which to raise questions about security problems and security solutions by collaborating with political and critical design practitioners to design concrete material objects that themselves embody questions about traditional security and about traditional design practices that use technology to depoliticise how technology is deployed by states and corporations to make us 'safe'

    Particularities of security design for wireless networks in small and medium business (SMB)

    Small businesses often have small budgets, which often means no full-time IT staff or no possibility to hire a security consultant to set up a wireless LAN properly. This paper tries to develop a methodology for designing security for wireless networks in SMB. There are more security options to choose from, when setting up a wireless network, thus the security features needed for a company must be carefully taken into consideration. The benefits from one security feature must be balanced with the implementation and maintenance cost and with the risk of not getting the security level wanted.
    Keywords: security, wireless, communication networks

    Usable Security: Why Do We Need It? How Do We Get It?

    Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social engineering techniques. Often, such failures are attributed to users’ carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice

    Acoustic Integrity Codes: Secure Device Pairing Using Short-Range Acoustic Communication

    Secure Device Pairing (SDP) relies on an out-of-band channel to authenticate devices. This requires a common hardware interface, which limits the use of existing SDP systems. We propose to use short-range acoustic communication for the initial pairing. Audio hardware is commonly available on existing off-the-shelf devices and can be accessed from user space without requiring firmware or hardware modifications. We improve upon previous approaches by designing Acoustic Integrity Codes (AICs): a modulation scheme that provides message authentication on the acoustic physical layer. We analyze their security and demonstrate that we can defend against signal cancellation attacks by designing signals with low autocorrelation. Our system can detect overshadowing attacks using a ternary decision function with a threshold. In our evaluation of this SDP scheme's security and robustness, we achieve a bit error ratio below 0.1% for a net bit rate of 100 bps with a signal-to-noise ratio (SNR) of 14 dB. Using our open-source proof-of-concept implementation on Android smartphones, we demonstrate pairing between different smartphone models.
    Comment: 11 pages, 11 figures. Published at ACM WiSec 2020 (13th ACM Conference on Security and Privacy in Wireless and Mobile Networks). Updated reference

    Integrating security and usability into the requirements and design process

    According to Ross Anderson, 'Many systems fail because their designers protect the wrong things or protect the right things in the wrong way'. Surveys also show that security incidents in industry are rising, which highlights the difficulty of designing good security. Some recent approaches have targeted security from the technological perspective, others from the human–computer interaction angle, offering better User Interfaces (UIs) for improved usability of security mechanisms. However, usability issues also extend beyond the user interface and should be considered during system requirements and design. In this paper, we describe Appropriate and Effective Guidance for Information Security (AEGIS), a methodology for the development of secure and usable systems. AEGIS defines a development process and a UML meta-model of the definition and the reasoning over the system's assets. AEGIS has been applied to case studies in the area of Grid computing and we report on one of these

    Measuring information security breach impact and uncertainties under various information sharing scenarios

    This study draws on information theory and aims to provide simulated evidence using real historical and statistical data to demonstrate how various levels of integration moderate the impact and uncertainties of information security breach on supply chain performance. We find that the supply chain behaves differently under various levels of integration when a security breach occurs. The entropy analysis revealed that the wholesaler experiences the most uncertainty under system failure and data corruption. This sort of impact-uncertainty information will aid in designing and managing a resilient supply chain poised for minimal breach impact